Process and device for permitting selective access to a security system

ABSTRACT

A process and arrangement that gives selective access to a security system, particularly in a payment system using debit cards, credit cards, or withdrawal of funds contained in a so-called smart card, and in particular on a chip card. The system comprises at least one first device and at least one second device that must be used in a correct configuration with one another in order to gain access. Access is gained by verifying that a certain coded key K2, held in the second device, is recognized as being valid by the first device, after comparing it with a renewing key K1 and previous versions of the code key K1 contained in the first device.

TECHNICAL FIELD

This invention relates to selective access to a security system, and in particular to a payment system using debit cards, credit cards, or for the withdrawal of funds contained on a so-called smart card, and in particular for chip cards.

BACKGROUND OF THE INVENTION

The system with which the present invention is concerned comprises at least one initial device and at least one second device that must be brought into a correct configuration with the initial device in order to obtain access. Access is obtained by verifying that a coded key associated with the second device is recognized as valid by the first device, after comparison with a key found in the first device.

By way of example, in the case of payment systems with which it is possible to withdraw funds recorded on a credit card, which are referred to as an "electronic purse" and which contains the second device described above, the first device has payment terminals, each of which has one or more so-called "global" coded keys that are common to various payment terminals. Each electronic purse, in addition to any security codes, contains a memory for the monetary funds which may be withdrawn a little at a time or all in one sum, and then reloaded, e.g. by means of a bank computer terminal, as well as a memory for one or more coded keys. The description of a coded key below is given by way of clarification. One or more other keys may be used, or some other appropriate procedure may be employed.

When a payment is to be made, the electronic purse or card must communicate with a payment terminal. The payment terminal, before permitting the withdrawal of funds from the electronic purse, and possibly also for the purpose of double-checking the security codes, calculates the supposed key of the card on the basis of the global key in the terminal and on the basis of a code that identifies the individual card (for instance its serial number). The terminal then checks that this supposed key corresponds to that stored in the electronic purse card and checks that it has been loaded at the time of production or issue. This calculation is carried out on the basis of a chosen algorithm that cannot be reversed. That is, if one knows the card's key and its code, it is not possible to discover the global key.

Although this irreversible calculation does not make it possible for a third party to decipher the key and the card code in order to identify the global key, that third party could attempt to obtain the global key found in various terminals by some fraudulent means, and on the basis of that key to calculate the keys of all the cards in the system, thus obtaining or inventing their identifying codes, and then to issue false electronic purse cards which would be indistinguishable from genuine cards. Such actions would be prejudicial to the company and very costly to monitor and combat. Under extreme circumstances, these fraudulent actions could result in the need to stop using the aforesaid system.

SUMMARY OF THE INVENTION

This invention is aimed at limiting the falsification of electronic purse cards of the type described above and thus at eliminating the serious disadvantages that would result. To limit this, and thus to increase the security of the system, it is necessary to be able, in a programmed fashion, to change the global key used by the payment terminals, and this is easily effected since these terminals are regularly linked to a management center. However, it is also necessary to update the key stored in the electronic purse cards in use in the system; but these are not all presented with sufficient regularity to a payment or bank terminal for their coded keys to be changed in a "synchronized" fashion with those of the payment terminals.

To resolve this problem of synchronized changing, the process contemplated by this invention involves:

A successive renewal, at chosen intervals, of the first device's key. This new key is linked to the previous one by an irreversible function whereby, from a given key, it is only possible, in each instance, to obtain the preceding key in the renewal sequence and, by repeating the function, any previous keys;

If the comparison of the renewed key of the first device and the key of the second device does not indicate that the latter is valid, a successive search, by means of the repeated irreversible process, of the previous keys of the first device can be performed, in order to compare the previous keys with that of the second device; and

If this successive comparison does not verify the validity of the key of the second device, access can be barred.

This invention also covers a device for implementation of the preceding process, the device comprising at least one initial device and at least one second device, where:

The second device contains the means for storing a key;

The first device contains:

Storage means for storing a key;

Production means for producing a new key for the first device. The production means is linked with the means for storing for the purpose of replacing the key by the new key. The key is linked to the preceding key by an irreversible function whereby, on the basis of a given key, it is only possible in each instance to obtain the preceding key in the renewal sequence and, by repeating the function, any other previous keys;

Repetition means for repeating the irreversible function in order to find the previous keys of the first device. The repetition means is linked to the production means and/or to the storage means;

Comparison means for comparing the renewed keys and the previous keys of the first device to the key of the second device. The comparison means are linked to the storage means and the repetition means;

Means of barring access, linked to the comparison means; and

Replacement means for possibly replacing the stored key in the storage means of the second device with a more recent key in the key renewal sequence. The replacement means are linked to the repetition means and to the access barring means.

Other details and special features of the invention are apparent from the description and illustrative drawing herein of a preferred embodiment, which is a non-exhaustive example of the process and one particular form of the facility made possible by the invention in the context of an electronic purse payment system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 represents a simplified functional layout of a security system which implements a process and a facility made possible by the invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

With reference to FIG. 1, the process contemplated in the invention may be used to advantage for such purposes as enhancing the security of an electronic purse payment system 1 (which may take the form of a so-called chip card) and may be used alone or in combination with other security processes. A known method of increasing this type of security is to change the system's global key at planned intervals. This change is facilitated for a payment terminal 2 and for a terminal 3 which reloads the electronic purse card 1, used respectively for the electronic withdrawal, in the context of a payment by this method, of the "money" recorded on the electronic card, and for replenishing the funds available on the card, withdrawing the corresponding funds from a bank account, for instance. In effect, the payment terminal 2 and the reloading terminal 3 are regularly in communication with the payment and security system's management center 5, comprising the aforesaid listed components 1 to 5, which are thus able to organize the change of keys.

The case of the electronic purse card 1 is a special one, however, due to the fact that it may not be used regularly and that between two successive uses several changes may have taken place in the global key used in the payment terminals 2, resulting in the card containing a lapsed key.

To resolve this problem one could require that the bearer of such an electronic purse card 1 have his card validated, for example by means of a bank or reloading terminal 3, before authorizing a new use for payment by means of a payment terminal 2. However, the bearer of this electronic card 1 will only become aware that the card is no longer valid, and needs to be validated, when a payment is refused, e.g. in a store, with the consequences one can readily imagine, even though the bearer is attempting to use the card 1 in good faith. This situation would soon discourage the use of the payment system 6. The present invention avoids this type of inconvenience, at least in the majority of cases.

The payment and security system 6 can be regarded as comprising an initial device 7 which includes, among other things, a management center 5, at least one payment terminal 2 and at least one reloading or bank terminal 3, and a second device 8 which consists primarily of the electronic purse 1 made, for example, in the form of a so-called chip card.

To improve the security of the system, the process contemplated by this invention envisages a successive renewal, at chosen intervals of time, of the global key K1 stored in the first device 7. That is, the renewal is effected in all the payment terminals 2 and reloading terminals 3, for example, from the management center 5, in the context of its regular communication with these terminals 2, 3. A new global key K1(p) stored in the payment terminal 2 for a period of time (p) is linked to the preceding global key K1(p-1) relating to the immediately preceding period (p-1) on the basis of an irreversible function F whereby, on the basis of the determined key K1(p), it is only possible in each instance to obtain the key K1(p-1) that comes immediately before it in the renewal sequence of the key K1. By repeating this function F, one can then also obtain the key K1(p-2) on the basis of the key K1(p-1), and so on.

According to the invention, if the key K2(p-n), where n is a whole number equal to or greater than zero, of the electronic purse card 1 is not regarded as valid when the comparison is carried out during period (p) on key K1(p) of the payment terminal 2, a successive search is carried out, each time through the irreversible function F, in order to establish, one at a time, the preceding keys K1(p-1), K1(p-2), etc., used by the security system 6 so as then to compare them individually with the key K2(p-n) of the aforesaid electronic purse card 1.

If the successive comparison verifies the key K2(p-n) to be valid, for example if it is equal to K1(p-n), and, where relevant, if any other conditions of access are satisfied, access to the withdrawal of funds from the electronic card 1 is authorized so that the terminal 2 can effect a payment for a sum up to the maximum contained on the electronic purse card 1. If the successive comparison fails to verify the validity of the key K2(p-n), instructions are given for barring the withdrawal of funds.

Ideally, if the successive verification determines the validity of the electronic purse card's key K2(p-n), the process covered by this invention makes provision for the replacement of this key K2(p-n) by one of the more recent keys of the payment terminal 2. The new key inserted into the said electronic purse card could be the key K2(p) corresponding to the key K1(p) of the payment terminal in period (p) with respect to the accepted withdrawal. It might however be preferable to insert into the electronic purse card 1 a key K2(p-1) corresponding to the key K1(p-1) for the period (p-1) preceding it in the succession of key renewals. Thus, if another payment terminal 2 in the system 6 has not yet submitted its latest update and still has the key K1(p-1) in its memory, and if the electronic purse card 1 which has just been given the new key K2(p-1) is used in conjunction with this other terminal 2, the validity of the electronic purse card would not be challenged. This validity would not however be recognized if the electronic purse card 1 had contained a key K2(p) and the other terminal 2 a key K1(p-1), since the function F is irreversible and uses the key K1(p-1) of the other terminal 2 to move backwards in search of the preceding keys. The function F does not make it possible to determine a future key, nor does it permit use of the key K2(p) of the electronic purse card 1 to determine the preceding keys.

An advantage of the process contemplated by the invention is that the searches and successive comparisons of previous keys K1(p-n) in the security system are barred as from a certain maximum permitted degree of age m (a whole number above zero). At that moment the system 6 can only deal with the keys K1(p-n) for which 0≦n≦m, in order to:

prevent a validation, by the payment terminal 2, of an electronic purse card 1 which has not been in use for a long time, with the possibility of its successive validation by a bank terminal or by a reloading terminal 3 after ascertaining that the card is not being used fraudulently; and

restrict to the maximum any proliferation of a fraudulent electronic purse card 1 being used on the basis of an old key K2(p-n) and which users conscious of the fraud would not present for validation inspection, whereas users not conscious of any fraud, by presenting it for validation, could help with the uncovering of fraud.

The comparison of the keys K1(p-n) and K2(p-1) may be immediate, in terms of their being identical or coinciding. This comparison may be indirect and then, for instance, the function F uses an additional code stored on the electronic purse card 1, or again the result of the function F may be handled by another function using this auxiliary code or some other parameter, etc.

The sequential numbers (p), (p-1), . . . (p-n), etc., given above to the keys K1 and K2 are only an indication of their order of succession. According to one method of implementing the invention, the keys K1 and K2 are recorded in their various locations without any sense of sequential numbering, and the search for, and comparison of, the coinciding keys K1 and K2 is carried out without any form of guide. Under another form of implementation, sequential numbers (p-n) are given to the keys K1, K2 used successively and linked by the irreversible function F. At the same time as the key K1, K2 is stored in the first or second device respectively 7, 8, the sequential number (p-n) of the key K2(p-n) is used for the successive search for the key K1(p-n) for the sake of comparison, i.e. in order to find out how many times the function F is to be repeated. This sequential number may also be used for determining at once, without any search or comparison, the degree of age n of the electronic purse card 1 in relation to the aforesaid period (p) and for comparing this degree of age with a maximum permitted degree of age m beyond which the said searches and comparisons are barred.

Anyone experienced in this art will appreciate that, because of the irreversible function F, at the management center a "last" coded key K1(end) is set up, and this in principle will be the key of the last period of life, if not of the whole security system 6, then at least of the whole of the keys K1(p) and K2(p) linked by the function F, and possibly also of the function F itself. Finally, the function F is applied to this key K1(end) to obtain the key K2(end-2) and so on until one obtains the K1(1) of what has been chosen as the first period. This key K1(1) is then loaded in the payment terminal 2 and, as appropriate, into the reloading terminal 3 and its counterpart for this first period K2(1) is loaded onto the electronic purse card 1 when it is made or issued. The management center 5 keeps secret either the whole series of keys K1(p), K1(1) to K1(end), thus obtained, or at least the last K1(end) on the basis of which any of the previous keys K1(p) might be reaccessed.

The total number of keys K1(p) in the series must be chosen in order that the life of the security system 6, in terms of the coded key, is less than the sum of the corresponding periods or, if the successive periods (p) are of the same duration, than the product of the duration of a period and the total number of keys K(p).
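The key series K1(1)..K1(end), the terminal's backward search bounded by the maximum age m, the sequence-number variant, and the write-back of K2(p-1) described above, as an added worked example that is not part of the patent; SHA-256 standing in for the unspecified function F and the byte strings are constructed assumptions.

```python
import hashlib
import hmac


def F(key: bytes) -> bytes:
    """Irreversible function F of the patent. SHA-256 is an assumption standing
    in for the unspecified F: given K1(p) it yields K1(p-1), never the reverse."""
    return hashlib.sha256(key).digest()


def build_key_series(k1_end: bytes, total: int) -> list:
    """Management-center step: choose K1(end) last, apply F repeatedly down to K1(1).
    Returns a list where series[p - 1] == K1(p) for p = 1 .. total."""
    series = [b""] * total
    series[total - 1] = k1_end
    for p in range(total, 1, -1):          # K1(p-1) = F[K1(p)]
        series[p - 2] = F(series[p - 1])
    return series


def verify_card_key(k1_p: bytes, k2: bytes, m: int):
    """Terminal step without sequence numbers: compare K2 with K1(p), then with
    K1(p-1), K1(p-2), ... obtained by repeating F, at most m times.
    Returns the degree of age n (0 <= n <= m) if K2 is valid, else None."""
    candidate = k1_p
    for n in range(m + 1):
        if hmac.compare_digest(candidate, k2):   # constant-time equality
            return n
        candidate = F(candidate)                 # step back one period
    return None                                  # too old, or not in the series


def verify_by_sequence_number(k1_p: bytes, p: int, k2: bytes, p_n: int, m: int) -> bool:
    """Terminal step with sequence numbers (numbering means 21A/21B, means 24):
    n = p - (p-n) gives at once how many times F must be repeated, and whether
    the card exceeds the maximum permitted age m before any comparison is made."""
    n = p - p_n
    if n < 0 or n > m:          # future key or too old: the search is barred
        return False
    candidate = k1_p
    for _ in range(n):
        candidate = F(candidate)
    return hmac.compare_digest(candidate, k2)


def replacement_key(k1_p: bytes) -> bytes:
    """Key written back to a validated card: K2(p-1) = F[K1(p)], so a terminal
    that still holds K1(p-1) also accepts the card."""
    return F(k1_p)


def demo() -> dict:
    # Constructed sample: a 10-period series, terminal in period 8, card last
    # updated in period 5 (degree of age n = 3).
    series = build_key_series(b"constructed K1(end) secret", total=10)
    k1_8 = series[7]
    k2_5 = series[4]
    return {
        "age_of_card": verify_card_key(k1_8, k2_5, m=5),                # 3
        "too_old_for_m2": verify_card_key(k1_8, k2_5, m=2),             # None
        "future_key_rejected": verify_card_key(k1_8, series[8], m=5),   # None
        "by_number": verify_by_sequence_number(k1_8, 8, k2_5, 5, m=5),  # True
        "replacement_is_K1_7": replacement_key(k1_8) == series[6],      # True
    }


if __name__ == "__main__":
    print(demo())
```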

One application of this invention for implementation of the process contemplated therein could involve a simple form of creating a first device 7 mentioned above and comprising, for instance, the components 2, 3 and 5 referred to. This first device 7 also consists of:

Key storage means 11 (or a memory) for storing the key K1(p-1) for a period (p-1). The key storage means 11 are provided, for instance, in the payment terminals 2 and in the reloading terminals 3; it also being possible for these means to store the keys K1(p-n) relating to at least certain previous successive periods in order to limit too frequent a repetition of the function F.

Renewal means 12 for producing a new key K1(p) for the following period (p), for the first device 7. The production means 12 are ideally provided at the management center 5 and linked to the storage means 11 in order to be able to replace there a key K1(p-1) by the new key K1(p), so that the latter can be linked in each instance to the previous key K1(p-1) by the aforesaid irreversible function F.

Repetition means 13 for repeating the irreversible function F, linked to the aforesaid production means 12 and/or to the storage means 11, in order successively to reaccess the previous keys K1(p-n) of the first device 7.

Comparison means 14 for comparing the renewed keys K1(p) and the key K2(p-n) of the second device 8. The comparison means 14 is linked to the storage means 11.

Means 15, linked to the comparison means 14, for barring access to the withdrawal of funds from an electronic purse card 1 which has not been validated.

Replacement means 16 for the purpose of replacing, in the storage means 17 of the second device 8, the key K2(p-n) stored by a more recent key K2(p-n') in the successive renewal of keys. The replacement means 16 are linked to the repetition means 13, for the purpose of receiving a key replacement order, and to the means 15 for barring access, for the purpose, where relevant, of barring the replacement of a key K2(p-n) that is judged to be too old.

The implementation of the invention also involves the second device 8, already explained above, which consists of the storage means 17, which, for the purpose of the reading and recording of the key K2(p-n), may be used in conjunction with terminal 2 or 3. Moreover, when an electronic purse card 1 is involved, the second device 8 consists of a funds storage means 18, of a non-permanent nature, for the "electronic funds" intended:

for the loading of electronic funds by means of the loading means 19, which forms a part of the loading terminal 3 and which may be released by the means of barring access 15 of the latter at the time of validation of the card 1 by this terminal 3; and

for the withdrawal of electronic funds through the means of withdrawal 20, which forms a part of the withdrawal terminal 2 and which may be released by the means 15 for barring access of the latter at the time of validation of the card 1 by this terminal 2.

Under one advantageous form of implementation of the invention, the above arrangement would also have:

Numbering means 21A, 21B whereby each new key K1(p) is given a sequential number (p) in the sequence of production of the keys. The initial numbering means 21A is possibly linked to the above-mentioned production means 12 and situated in the management center 5 in order to supply the number (p) of the new key K1(p) for the period (p). The second numbering means 21B is possibly linked to the repetition means 13 in order to obtain therefrom the sequential number (p-n') of a more recent key K2(p-n') chosen to replace the key K2(p-n) stored in the storage means 17;

In the first device 7, in the terminals 2 and 3, storage means 22 for storing at least the sequential number (p) of the last key stored K1(p). The storage means 22 are possibly able to delete one or more of the earlier sequential numbers of the deleted keys and linked to the means of numbering 21A and possibly also 21B for the purpose of receiving from the latter the appropriate sequential number (p-n');

In the second device 8, storage means 23 for storing the sequential number (p-n) of the key K2(p-n) stored in the storage means 17. The storage means 23 are possibly used in conjunction with the numbering means 21B for receiving the sequential number (p-n); and

Repetition determining means 24 for determining the number of repetitions of the irreversible function F necessary for changing from the renewed key K1(p), stored in the first device 7 and bearing the sequential number (p), to the key K2(p-n) stored in the second device and bearing a lower sequential number (p-n). These repetition determining means 24 are linked to the repetition means 13 for repeating the function F before proceeding to a comparison of the keys K1, K2 and they may be linked to the storage means 22 of the device 7, and used in conjunction with the storage means 23 of the device 8 in order to take the stored sequential numbers from the latter.

Anyone experienced in this art may choose the components necessary for establishing the security system 6, including for instance the storage and reading devices for the different means of storage and memorization 17, 18 and 23 of the electronic purse card 1.

It must be understood that the invention is not at all limited to the forms of implementation described and that many modifications could be made to them without departing from the framework of this invention. For example, only the means of linking up (not shown) with the electronic purse 1 for its validation and reloading need to remain in the reloading terminal 3. At least one part of the other means referred to, those for storage 11, repetition 13, comparison 14, barring access 15, replacement 16, loading 19, numbering 21B and/or memorization 22, could in fact be deployed in the management center 5 and in this case the means 21A and 21B would only be made up of the means 21A. This may be preferable because the loading terminals 3 are usually constantly on line with the management center 5.

Preferably the comparison of the keys K1 and K2 is not direct, but takes place by means of a normal coding technique, for instance through the so-called "challenge-response" technique or through one of the techniques defined in the international standards ISO/IEC 9798-2 or pr EN1546, with which a person experienced in this art would be familiar.

We claim:
1. A process for verifying the validity of a key K2 using a renewable key K1, the process comprising: renewing the key K1, wherein a renewed key K1(p) is linked to a preceding key K1(p-1) in accordance with an irreversible function F such that K1(p-1)=F[K1(p)]; first comparing the renewed key K1(p) with a key K2(p-n); and if the first comparing step does not verify the validity of the key K2(p-n), then subsequently comparing a preceding key K1(p-k) with the key K2(p-n), where k is an integer greater than or equal to zero.

2. The process of claim 1 further comprising: successively renewing the key K1.

3. The process of claim 1 wherein k≦m and m is a fixed positive integer.

4. The process of claim 1 further comprising: if the subsequent comparing step does not verify the validity of the key K2(p-k), then comparing a preceding key K1(p-j) with the key K2(p-n) for one or more positive integer values of j satisfying the relations 1≦j≦m where m is a fixed positive integer and j≠k.

5. The process of claim 4 wherein k=1 and the comparing steps are performed iteratively in increasing order of j.

6. The process of claim 4 further comprising: if a comparing step verifies the validity of a key K2(p-j) for some value of j, then terminating the comparing steps.

7. The process of claim 1 wherein the key K1 is associated with a first device and the key K2 is associated with a second device, the process further comprising: barring the second device from access to the first device, if all the comparing steps do not verify the validity of the key K2(p-k).

8. The process of claim 1 wherein the key K1 is associated with a first device and the key K2 is associated with a second device, the process further comprising: granting the second device access to the first device, if a comparing step verifies the validity of the key K2(p-k).

9. The process of claim 8 further comprising: replacing the key K2(p-k) with a more recent key.

10. The process of claim 9 wherein the more recent key is K2(p-1).

11. The process of claim 1 wherein the key K1 is associated with a first device and the key K2 is associated with a second device, and the second device is selected from the group consisting of an electronic purse, a debit card, a credit card, a smart card, and a chip card.

12. The process of claim 1 wherein the key K1 is associated with a first device and the key K2 is associated with a second device, and wherein the first device is selected from the group consisting of a payment terminal and a reloading terminal.

13. The process of claim 1 wherein the key K1 is a global key.

14. A system for verifying the validity of a key K2 of a second device using a renewable key K1 of a first device, the system comprising: a second device comprising means for storing a version of the key K2; and a first device comprising: key storage means for storing a version of the key K1; renewing means, linked to the key storage means, for producing a renewed version of the key K1, wherein a previous version of the key K1 can be obtained by operating upon the renewed version of the key K1 with an irreversible function F; and comparison means, connectable to the second device, for comparing the stored version of the key K2 to the renewed key K1 and one or more previous versions of the key K1.

15. The system of claim 14 wherein the first device further comprises: replacement means for replacing the key K2 in the second device with a more recent key.

16. The system of claim 14 wherein the first device further comprises: repeating means, linked to the key storage means, the renewing means and the comparison means, for repeating the irreversible function F in order to determine the one or more previous versions of the key K1.

17. The system of claim 16 wherein the first device further comprises: numbering means for numbering each renewed key; number storage means for storing at least the sequential number of the last key; and repetition determining means, linked to the numbering means, number storage means and the repeating means, for determining a number of repetitions of the irreversible function F.

18. The system of claim 14 wherein the first device further comprises: a management center comprising the renewing means; and a terminal comprising the key storage means and the comparison means.

19. The system of claim 18 wherein the terminal is selected from the group consisting of a payment terminal and a reloading terminal.

20. The system of claim 18 wherein the first device further comprises: a communication link between the management center and the terminal.